GAP School Module 01 — Foundation Lesson 1.2

Most small businesses are on shared hosting because it's cheap and their web developer set it up that way. Shared hosting works fine until you have real traffic, a real database, or real inventory — at which point it fails in ways that are hard to diagnose because you have no visibility into what's happening at the server level.


The situation

The Anchor build was on a managed WordPress host when I inherited it — one of the major managed WP providers. Managed WordPress hosting sounds like "managed" means someone is watching the server for you. What it actually means is "we've tuned the server for WordPress specifically and we handle updates and backups." That's not nothing, but it also means you're on a shared environment with resource limits that are opaque to you, and your options for tuning PHP-FPM, OPCache, Redis, or MySQL are limited to whatever that provider allows.

Listing page loads of 745 seconds told me something was catastrophically wrong at the application layer, but the hosting environment was also a contributor: specifically, the shared database resource limits and the inability to tune OPCache aggressively.


What I did

I moved to Cloudways on a DigitalOcean underlying instance. Then I wired up Cloudflare Pro in front of it.

Hosting: the spectrum

| Tier | What you get | What it costs you |
|---|---|---|
| Shared hosting (GoDaddy, Bluehost, etc.) | Cheap, zero maintenance | No server control, opaque resource limits, noisy neighbors |
| Managed WP (WP Engine, Kinsta, etc.) | WP-specific tuning, good support | Limited configuration surface, WP-only, expensive at scale |
| Managed cloud (Cloudways, Ploi, RunCloud) | Full server control + managed OS + 1-click deploys | ~$30–$100/month for a real machine |
| Raw VPS (DigitalOcean, Vultr, Linode) | Maximum control, lowest per-resource cost | You manage everything: patches, nginx, PHP-FPM, backups |

For a business that needs real configurability — custom PHP settings, Redis object cache, MySQL tuning, OPCache configuration — managed cloud is the right tier. You get full SSH access and control over PHP version and OPCache settings without needing to be a Linux sysadmin who writes nginx configs from scratch.

Cloudways sits on top of DigitalOcean (or AWS, Vultr, etc. — your choice) and gives you a clean control panel for PHP version, OPCache settings, Redis configuration, and server firewall rules. Backups are snapshots of the whole server. Scaling up takes minutes.

The DigitalOcean instance for the Anchor build: 2 vCPU, 4GB RAM. It handles the site with room to spare. For a client paying $500–$2,500/month for a maintained sales platform, hosting cost is a rounding error.

CDN: Cloudflare's tiers

Cloudflare Free is what most people have. It gives you DNS, DDoS mitigation, and basic caching. That's meaningful but it's not a full CDN strategy.

Cloudflare Pro adds:

  • WAF (Web Application Firewall) — managed rule sets that block SQLi, XSS, and known exploit patterns at the edge before they hit your server
  • Image optimization (Polish + Mirage) — automatic WebP conversion and lazy-loading
  • Argo Smart Routing — routes requests through Cloudflare's backbone instead of the public internet for the last-mile hop to your origin server
  • Rate limiting — per-endpoint request throttling on login pages and API endpoints to block credential-stuffing attacks

The WAF alone earns the Pro cost. A WordPress site without a WAF is a WordPress site that will eventually serve malware or be used in a DDoS amplification attack. WAF at the edge means the attack pattern never reaches PHP — it's blocked in Cloudflare's infrastructure before the request hits your server.

Cloudflare caching rules

Cloudflare Page Rules — key configuration
# Inventory listing pages — Cache Everything
# URL pattern: [domain]/inventory/*
# Cache Level: Cache Everything
# Edge Cache TTL: 4 hours
# Browser Cache TTL: 30 minutes

# Admin area — Bypass Cache (NEVER cache wp-admin)
# URL pattern: [domain]/wp-admin/*
# Cache Level: Bypass

# Logged-in users — Bypass Cache
# Cookie: wordpress_logged_in_*
# Cache Level: Bypass

Cache Everything on inventory pages means listing grids are served from Cloudflare's edge on repeat visits — your origin server never sees the request. For a dealership with thousands of inventory pages, this is meaningful throughput relief.

The bypass rule for wp-admin is non-optional. Caching admin pages causes lost form submissions, stale settings screens, and confusing bugs that are hard to trace.
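One way to confirm the three rules behave as intended once they are live, shown as an added example that is not part of the original lesson: the script reads Cloudflare's CF-Cache-Status response header from captured request/response pairs and flags admin or logged-in responses that the edge stored, plus anonymous inventory pages that it did not. The host dealer.example, the function names, and the sample captures are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# CF-Cache-Status values meaning Cloudflare stored, or is about to store, the response.
STORED_AT_EDGE = {"HIT", "MISS", "EXPIRED", "STALE", "REVALIDATED", "UPDATING"}


def audit(sample):
    """Return findings for one captured request/response pair."""
    path = urlparse(sample["url"]).path
    headers = {k.lower(): v for k, v in sample["response_headers"].items()}
    status = headers.get("cf-cache-status", "").upper()
    logged_in = "wordpress_logged_in_" in sample.get("request_cookies", "")
    stored = status in STORED_AT_EDGE
    findings = []
    if path.startswith("/wp-admin/") and stored:
        findings.append("wp-admin response is cacheable at the edge")
    if logged_in and stored:
        findings.append("logged-in request was not bypassed")
    if path.startswith("/inventory/") and not logged_in and not stored:
        findings.append("anonymous inventory page is not being cached")
    return findings


def failing(samples):
    """Pair each sample URL with its findings, keeping only the ones that fail."""
    return [(s["url"], f) for s in samples if (f := audit(s))]


# Constructed captures for a hypothetical site, not real traffic.
BASE = "https://dealer.example"
SAMPLES = [
    {"url": BASE + "/inventory/used-trucks/", "request_cookies": "",
     "response_headers": {"CF-Cache-Status": "HIT"}},
    {"url": BASE + "/wp-admin/options-general.php",
     "request_cookies": "wordpress_logged_in_abc=constructed",
     "response_headers": {"CF-Cache-Status": "BYPASS"}},
    {"url": BASE + "/wp-admin/admin-ajax.php", "request_cookies": "",
     "response_headers": {"cf-cache-status": "HIT"}},
    {"url": BASE + "/inventory/used-trucks/",
     "request_cookies": "wordpress_logged_in_abc=constructed",
     "response_headers": {"CF-Cache-Status": "MISS"}},
    {"url": BASE + "/inventory/new/", "request_cookies": "",
     "response_headers": {"CF-Cache-Status": "DYNAMIC"}},
]

if __name__ == "__main__":
    for url, findings in failing(SAMPLES):
        print(url, "->", "; ".join(findings))
```

A MISS counts as a failure for admin and logged-in requests because it means Cloudflare treated the response as cacheable and will serve the stored copy to the next visitor.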


Why it matters

Your hosting stack is the ceiling on everything else you build. You can have perfect application code and still get timeouts if your server is misconfigured or under-resourced. Conversely, a well-configured server makes mediocre application code perform acceptably.

The Cloudflare WAF matters especially for small businesses because: (a) you don't have a security team, (b) WordPress is the most-targeted CMS on the internet, and (c) a WAF at the edge blocks attacks before they consume server resources. Blocked at Cloudflare = free. Gets through to PHP = costs you CPU, potentially crashes under load.


The Anchor build

Migrated from the existing managed WP host to Cloudways + DigitalOcean. Cloudflare Pro was already in use for DNS; I upgraded the plan and configured the WAF rules, image optimization, and page rules as described above.

The OPCache configuration change on the new host was significant. On the previous host, OPCache was set to defaults. On Cloudways I configured:

OPCache settings — php.ini after migration
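opcache.enable=1
; shared memory for compiled scripts, in MB
opcache.memory_consumption=256
; memory for interned strings, in MB
opcache.interned_strings_buffer=16
opcache.max_accelerated_files=10000
; seconds between checks of script timestamps for changes
opcache.revalidate_freq=60
; fast_shutdown was removed in PHP 7.2; newer versions ignore this line
opcache.fast_shutdown=1
opcache.save_comments=1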

The memory_consumption=256 and max_accelerated_files=10000 are the important ones for a WP site with many plugins and a large custom plugin. Default OPCache settings allocate 128MB and cache 10,000 files — which sounds like enough until you're running a plugin with 127K lines of PHP.


Do this, not that

  • Don't use shared hosting for a sales platform. If your business depends on the site working at 2pm on a weekday, shared hosting's resource limits will betray you at exactly that moment.
  • Put Cloudflare Pro in front of your origin, even if the origin is well-configured. The WAF alone is worth it. The DDoS mitigation above that is free insurance.
  • Cache inventory and catalog pages aggressively at the CDN layer. Bypass for admin and logged-in users. Everything else — cache it, let the edge serve it.
  • Tune OPCache for your actual payload size. The defaults assume a small site. If you're running a large plugin, increase memory_consumption and max_accelerated_files.
  • Set up Cloudflare Page Rules before launch, not after. They take 30 minutes to configure correctly and save you thousands of server requests per day from day one.